Lect 5


Cyber Security

Ms. Nabeela Bibi


What is cybersecurity compliance?
● Cybersecurity compliance is the practice of conforming to
established standards, regulations, and laws to protect digital
information and systems from cybersecurity threats.
● By implementing specific policies, procedures, and controls,
organizations meet the requirements set by various governing
bodies.
● This enables these organizations to demonstrate their commitment
to cybersecurity best practices and legal mandates.
Why is cybersecurity compliance important?
1. Direct financial penalties: Regulatory bodies can impose substantial fines on organizations that
neglect cybersecurity standards. According to the IBM Cost of a Data Breach Report 2023, the average
company can expect to pay approximately $40,000 USD in fines due to a data breach.
2. Operational disruptions: Incidents like ransomware attacks can halt operations, leading to significant
revenue loss.
3. Loss of customer trust: A single data breach can result in a *mass exodus of clientele, leading to
decreased revenue.
4. Reputational damage: The long-term financial effects of a tarnished (spoiled) reputation can be
devastating, from stock price drops to reduced market share.
5. Legal fees: Lawsuits from affected parties can result in additional financial burdens.
6. Recovery costs: Addressing a cyber incident, from forensic investigations to public relations efforts,
can be expensive.
7. Missed opportunities: Non-compliance can lead to lost contracts and business opportunities,
especially with entities that mandate cybersecurity standards.

*Mass exodus of clientele refers to a situation where a large number of customers or clients leave or discontinue their relationship with a
business, organization, or service provider within a relatively short period of time.
Government agencies that influence cybersecurity regulations
● Cybersecurity and Infrastructure Security Agency (CISA): branch of the Department of
Homeland Security (DHS) that oversees cybersecurity for critical infrastructure for the US
federal government
● National Institute of Standards and Technology (NIST): plays a key role in the
implementation of the federal cybersecurity mandate established by the Federal
Information Security Management Act (FISMA).
● International Organization for Standardization (ISO)
   1. Develops and publishes international standards, including those related to information
      security
   2. Roughly equivalent to NIST but for European countries
   3. Influence extends beyond Europe in practice though not officially
● European Union Agency for Cybersecurity (ENISA)
   1. EU’s agency dedicated to achieving a high common level of cybersecurity across member
      states
   2. Roughly equivalent to CISA but for European states
● Department of Defense (DoD)
   1. Enforces the Defense Federal Acquisition Regulation Supplement (DFARS), which
      mandates NIST SP 800-171 compliance for defense contractors
   2. Releases memorandums that amend other cybersecurity laws and standards specific to
      the DIB, such as the Continuous Authorization To Operate (cATO) memo
● The Federal Bureau of Investigation (FBI)
   1. Investigates cyber attacks, including those by nation-states, hacktivists, and criminals;
      investigations can set legal precedent
   2. Leads the National Cyber Investigative Joint Task Force (NCIJTF) to coordinate interagency
      investigation efforts
   3. Collaborates with businesses, academic institutions, and other organizations to share
      threat intelligence and best practices through the InfraGard program
● National Security Agency (NSA)
   1. Collects and analyzes signals intelligence (SIGINT) related to cyber threats
   2. Established the Cybersecurity Directorate to unify foreign intelligence and cyber defense
      missions for national security systems and the defense industrial base (DIB)
   3. Conducts extensive research in cybersecurity, cryptography, and related fields. Innovations
      and findings from this research often influence broader cybersecurity standards and
      practices
U.S. cybersecurity laws and standards to know
1. SOC 2 (System and Organization Controls 2)
   1. Compliance framework for auditing and reporting on controls related to the security,
      availability, confidentiality, and privacy of a system
   2. Very popular certification for cloud/SaaS companies to maintain as a way to assure
      clients that their information is managed in a secure and compliant manner
2. Payment Card Industry Data Security Standard (PCI DSS)
   1. Establishes security standards for organizations that handle credit cards
   2. Organizations must comply with this security standard in order to process or store
      payment data
3. Health Insurance Portability and Accountability Act (HIPAA)
   1. Protects the privacy and security of health information for consumers
   2. Organizations must comply with this security standard in order to process or store
      electronic health records
4. NIST Cybersecurity Framework
   1. Provides a policy framework to guide private sector organizations in the U.S. to assess
      and improve their ability to prevent, detect, and respond to cyber incidents
   2. While voluntary, many organizations adopt this framework to enhance their
      cybersecurity posture
EU cybersecurity laws and standards to know
1. ISO/IEC 27001
   1. An international standard that provides the criteria for establishing, implementing,
      maintaining, and continuously improving a system
   2. Roughly equivalent to NIST 800-37, the Risk Management Framework
   3. Also includes a compliance and certification component; when combined with
      ISO/IEC 27002 it is roughly equivalent to FedRAMP
2. General Data Protection Regulation (GDPR)
   1. A comprehensive data protection and privacy law
   2. Non-compliance can result in significant fines, up to 4% of an organization’s annual
      global turnover or €20 million (whichever is greater)
SOC 2
● System and Organization Controls (SOC) 2 is a set of compliance criteria developed by
the American Institute of Certified Public Accountants (AICPA).
• Who it’s for: Companies and their third-party partners
• Focus: Customer data management and third-party risk management
● SOC 2 evaluates a company’s security posture as it relates to five Trust Services Criteria.
Following an audit, the auditor gives the company a SOC 2 report with insight into its
cybersecurity quality as it relates to the TSC: security, availability, confidentiality,
processing integrity, and privacy.
● Despite the value it provides an organization, implementing SOC 2 can be challenging and
time-consuming. Secureframe streamlines that process, helping companies become SOC
2 compliant in record time.
ISO Standards
● The International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) established the ISO 27000 series to introduce
guidelines for implementing information security policies. As the international standard
for security program validity, ISO/IEC certification tells partners that you are reliable and
trustworthy.
● Specifically, ISO 27001 lists requirements for building and maintaining an information
security management system (ISMS). An ISMS is a tool used to keep information security
risk at a minimum by helping you manage people, processes, and technology.
• Who it’s for: Companies that handle sensitive data
• Focus: Building and maintaining an information security management system (ISMS)
NIST Cybersecurity Framework
● The U.S. National Institute of Standards and Technology (NIST) developed the NIST
Cybersecurity Framework (also known as the NIST Risk Management Framework) in
response to a 2013 initiative from former President Obama. The initiative called for
the government and the private sector to collaborate in the fight against cyber risk.
• Who it’s for: Anyone
• Focus: Comprehensive and personalized security weakness identification
● Compliance with the framework is voluntary. That said, NIST is widely respected for
locating security weaknesses. It can help organizations adhere to regulations, and
even offer personalized security suggestions.
HIPAA
● The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 federal
statute that created standards for protecting patient health information. All
healthcare organizations must follow cybersecurity practices and run risk
assessments to comply with HIPAA.
• Who it’s for: The healthcare sector
• Focus: Protection of patient health information
● The healthcare sector is the seventh most frequent target of cyberattacks, so
organizations within the sector need to be vigilant.
PCI DSS
● The Payment Card Industry Data Security Standard (PCI DSS) was created in 2006 to
ensure that all companies that accept, process, store, or transmit credit card
information operate securely. The framework is primarily intended to keep
cardholder information safe. All companies handling this information must comply
with PCI DSS, regardless of size.
• Who it’s for: Any company handling credit card information
• Focus: Card owner information security
● Unlike government-mandated frameworks, payment brands (MasterCard, Visa, etc.)
enforce PCI DSS compliance.
GDPR
● The European Union passed the General Data Protection Regulation (GDPR) to protect
the data of EU citizens. It applies to all businesses that collect and process EU citizens’
data, whether those businesses are based in the EU or internationally. The framework
lists regulations related to consumer data access rights, data protection rights, consent,
and more. It is enforced by the Information Commissioner's Office (ICO).
• Who it’s for: All businesses that collect EU citizens’ data
• Focus: Privacy and data protection for citizens of the EU
● The regulation is extensive — 88 pages, to be exact — and ICO is notorious for heavily
fining companies that fail to comply. For example, in 2018 (the same year that GDPR was
established), the ICO fined Google €50 million.
How to streamline cybersecurity compliance in your
organization
● Determine which laws and regulations apply to your organization
● Conduct a gap analysis
● Prioritize compliance needs
● Develop a compliance roadmap
● Implement controls and solutions
● Monitor and audit
● Document everything
● Engage with stakeholders
● Review and adapt
Determine which laws and regulations apply to your organization
● Geography
   ○ US-only: if your business only operates in the United States, then you only need to focus on
     compliance with US laws
   ○ EU-only: if your business only operates in the European Union, then you only need to focus
     on compliance with EU laws
   ○ Global: if your business operates in both jurisdictions, then you’ll need to consider compliance
     with both EU and US laws, as well as any other jurisdictions you operate in.
● Industry
   ○ Financial Services: subject to GLBA and SOX, but if they don’t process credit card payments they
     may not need to be concerned with PCI DSS
   ○ E-commerce: any organization that processes payments, especially via credit card, will need to
     adhere to PCI DSS, and obtaining a SOC 2 audit report is common.
   ○ Healthcare: any organization that processes or stores data defined as protected health
     information (PHI) will need to comply with HIPAA requirements
● Business model
   ○ Data storage
   ○ Data processing
   ○ Data transmission
Conduct a gap analysis
● Current State Assessment: Evaluate the current cybersecurity
posture and practices against the required standards and
regulations.

● Identify Gaps: Highlight areas where the organization does not meet
required standards.

These steps can either be done manually or automatically.


Prioritize compliance needs
● Risk-based Approach: Prioritize gaps based on risk. Address high-risk areas first.

● Business Impact: Consider the potential business impact of non-compliance, such as
fines, reputational damage, or business disruption.
Develop a compliance roadmap
● Short-term Goals: Address immediate compliance requirements and any quick wins.

● Long-term Goals: Plan for ongoing compliance needs, continuous monitoring, and future
regulatory changes.
Implement controls and solutions
● Technical Controls: Deploy cybersecurity solutions that align with
compliance requirements, such as encryption, firewalls, intrusion
detection systems, etc.
● Procedural Controls: Establish and document processes and
procedures that support compliance, such as incident response
plans or data handling procedures.
Monitor and audit
● Continuous Monitoring: Use tools and solutions to continuously monitor the IT
environment for compliance. Auditing an IT environment once a year is no longer
considered a best practice.

● Regular Audits: Conduct internal and external audits to ensure compliance and identify
areas for improvement.
Document everything
● Maintain comprehensive documentation of all compliance-related
activities, decisions, and justifications. This is crucial for
demonstrating compliance during audits.
Engage with stakeholders
● Regularly communicate with internal stakeholders (e.g., executive
team, IT, legal) and external ones (e.g., regulators, auditors) to
ensure alignment and address concerns.
Review and adapt
● Stay Updated: Regulatory landscapes and cybersecurity threats evolve. Stay updated on
changes to ensure continued compliance.

● Feedback Loop: Use insights from audits, incidents, and feedback to refine the
compliance strategy.
Thank you!
